As the Coronavirus spreads, so do malicious attempts to use people’s concerns about the virus as a cover for phishing attacks. So how do you avoid being tricked and how do you integrate best practice into your Business Continuity Plan?

In recent days both the European Union’s agency for Cyber Security and America’s Federal Trade Commission have reported spikes in COVID-19-themed attempted phishing attacks.

During times of increased stress or increased uncertainty, people are less likely to give a potentially suspect email the attention and consideration it needs and unwittingly end up opening it and clicking on a link or potentially installing malware on their system.

These seasonal, themed attacks are nothing new. Around every tax deadline there’s an increase in malicious messages purporting to be from the IRS and offering rebates or warning of potential penalties. And, unless you’re like a real life Ned Flanders from the Simpsons, who posts his return on the night before the first day of the annual campaign, there’s a chance you could be tricked into thinking the message genuine.

However, what makes phishing attacks around Coronavirus different is that it’s a topic around which we’re actively searching and actively reading. So in our thirst for more knowledge or more understanding, we are in danger of becoming active participants in our being scammed.

What is phishing and how does it work?

Phishing refers to any cyber-attack that uses a seemingly valid email or text message to trick the recipient into believing the communication is genuine and therefore clicking on a link, downloading an attachment or directly sharing a piece of personal information.

And however the message is sent and whatever its request, if successful, the result is the same – a compromised email account, bank account or even organization.

Phishing is one of the oldest hacks in the book, yet, because it’s getting more and more sophisticated it’s also still one of the most effective ways of bypassing a person’s or an enterprise’s cyber security. IBM data puts the average cost of a data breach to a U.S. firm at $3.92 million; while according to Verizon, in 30% of data breaches over the past year, phishing was successfully employed.

Why do we fall for phishing?

Key to phishing’s success as a hacking tool is its form. It is a fake message masquerading as the truth. If you receive an email from a friend containing an attachment, it’s too easy to simply open the message and click on it. Likewise, with the proliferation of online accounts we hold, for work and for private purposes – from social media and video streaming services to web-based collaborative tools and expenses management software – there are more and more opportunities for phishers to hook us and reel us in. Just think about how much email communication the typical LinkedIn member receives on a weekly basis, or how many times an Asana update lands in an employee’s inbox.

Is a COVID-19 email fake?

According to the FTC, the most common types of phishing messages that have been identified are focused around awareness and prevention tips; reports of incidents of the disease in the local neighborhood; promoting treatments or vaccines; are attempting to raise money for charities; or are offering investment advice linked to the impact of the virus on the stock markets.

In particular it’s noticed an increase in messages purporting to be from the Centers of Disease Control and Prevention (CDC) and the World Health Organization (WHO).

What’s more, even the most security-focused and prepared enterprise could be opening itself up to a greater potential risk as more and more of the global workforce is forced to work from home. So in these unprecedented times how do you make sure you shut the door on potential attacks? Here are 10 top tips on how to avoid phishing:

1. Keep educated

When it comes to security, human capabilities have not evolved as quickly as technological capabilities. So you need to close this gap by constantly educating your employees about the risks of phishing and the steps that they need to take to avoid phishing and keep themselves and the company safe. That means everything from checking the validity of the sender before opening an email and highlighting the importance of two-factor authentication, to periodically checking in on all online accounts (personal and professional) to make sure they’re working properly and have not already been compromised.

2. Keep it about business

If employees who don’t usually work away from the office are now working from home, make it absolutely clear that their company equipment – laptop, smartphone, etc. – can only be used for business. This is one of the most effective phishing prevention measures any company can take. If an employee wants to check their personal email or social media accounts, they must do so on their own device. A phishing attack is most likely to emanate as an email from a friend or colleague’s personal account. For this reason it is crucial that companies mandate employees only use the official company email for contacting each other. If they want to chat socially, do so via a messaging app on a personal device.

Likewise make sure everyone knows that working over a shared, unencrypted Wi-Fi connection, such as that at the local coffee shop is unacceptable.

3. Keep a copy

Increased internet use is starting to put a strain on infrastructure; so much so that in Europe alone, due to a 30% spike in its use, the EU has had to ask Netflix to reduce the quality of its streaming below HD to ensure there’s sufficient bandwidth for everyone. SO with this in mind all remote employees should have a physical backup device and their computers set to automatically back up to it every hour. If a successful phishing attack results in ransomware being installed on an infected device, only one hour of work or data has been lost or compromised.

4. Keep communications simple

Make sure that HTML has been disabled for all corporate inboxes and that messages only appear in text format. This will automatically make any potentially suspicious message look less convincing. And, if an up-to-date Spam filter that can identify blank senders and viruses is installed and constantly updated this will give another layer of protection.

5. Keep passwords complicated

The most popular password in the U.S. is password. A blunt force hack will discover that without recourse to phishing to find it. Mandate long, complex non-dictionary word passwords and crucially, make it company policy that these passwords are changed at least every three months. However, it doesn’t matter how complicated a login process, if an employee leaves their computer unattended and open. Tweak default settings in mobile devices to automatically lock after a minute of downtime and drill remote workers in the importance of locking their screens when they need to leave the room – especially if they’re operating in a co-working space.

But as well as unwittingly giving a stranger access to your PC, never let a family member use your work computer, even if doing so is easier than booting up the family computer. Children in particular have a sixth sense when it comes to clicking on suspicious links or accidentally dragging a system file into the trash can.

6. Keep unwanted sites away

In the office, your company firewall and proxy server are very effective anti-phishing solutions. They limit the types of sites and sorts of pages that will load in a browser, you need to make sure your remote workforce has the same limiting browsing experience. The easiest way to achieve this and keep your system data safe is to set up and mandate the use of a VPN for all work-related activity. It will even provide protection for those forced to use public hotspots in emergencies.

7. Keep it all up to date

The best antivirus software is only as good at providing phishing protection as its most recent release. So to ensure that everyone is constantly updating all the virus and cyber security tools on their devices, set computers for mobile use to automatically require a full shutdown and restart every 24-48 hours to ensure all software updates can be automatically downloaded and correctly installed.

8. Keep resources ready

Don’t forget remote workers need IT support so make absolutely certain there are enough personnel available to handle these issues and that getting in touch with experts is not a complicated matter of creating and logging tickets and waiting for responses. Tech issues tend to bring out a very particular type of frustration in most people, so whenever possible, talking to someone will help them calm down and resolve the issue quickly.

9. Keep people informed

Even if they follow guidance to the letter, there is still a chance an employee will fall foul of a phishing attack especially at this moment in time. Therefore, make sure every remote worker understands the procedure they will need to follow to report the problem and minimize its impact on the organization.

10. Keep practicing

Just as important as educating the people in the organization who are most at risk from a phishing or other type of cyber-attack, is being certain the team who will be tasked with dealing with it are ready to do so. For this reason you should run practice drills to see how systems perform and to understand where improvements can be made.


Chris Knauer

SVP and Chief Security Officer at Sitel Group